Security overview
Download PDFThis document provides a summary of the technical and organisational measures we apply to protect the information entrusted to us by our customers. It is intended for the use of security teams, procurement teams, and compliance reviewers evaluating Vexta CMO. For the contractual treatment of personal data please refer to our Data Processing Addendum. For a list of the third parties involved in delivering the service see our Sub-processors page.
Security Program Overview
Our information security program is designed around the confidentiality, integrity, and availability of customer information. The program follows recognised industry frameworks and is reviewed by management on a regular basis. The program is supported by documented policies and procedures, periodic risk assessments, role-based responsibilities, and ongoing personnel awareness activities. We adopt a defence-in-depth posture and aim to apply security controls at the network, infrastructure, application, operational, and personnel layers.
Encryption
Customer data is protected by encryption at rest and in transit using industry-standard cryptographic techniques. Sensitive information such as API credentials, integration tokens, and other secrets are encrypted at rest using strong symmetric encryption with authenticated cipher modes. Encryption keys are managed in accordance with our key-management procedures, including separation of duties and access logging. All network communications between customer endpoints and our services are protected with current versions of the Transport Layer Security protocol, configured to prefer modern cipher suites and forward secrecy. Where the platform issues custom-domain certificates for white-label deployments, certificates are obtained and renewed automatically through an established certificate authority.
Identity and Access Management
Authentication to the platform is performed using salted and cryptographically strong password hashing. Customer accounts may enable an additional time-based one-time-password second factor. Session management uses signed, time-limited credentials supported by a revocation mechanism that allows administrators to terminate active sessions immediately. Role-based access controls separate platform operators, workspace administrators, regular workspace users, and limited-access client users. Workspace administrators can further constrain access at the level of individual managed accounts and through granular permission flags. All administrative and platform-operator activity is recorded in the audit log. Sensitive operations performed by platform staff are limited to named individuals on a least-privilege basis and are subject to review.
Audit Logging
Every state-changing action performed through the platform is captured in an internal audit log, including the identity of the actor, the affected target, network metadata, and a structured description of the action. Audit records are retained in accordance with our retention policy and are available for export by customers in commonly used formats. Where customer administrators have been granted the appropriate permission, they can review the audit trail for their own workspace using in-product tooling.
Backups and Recovery
Customer data is backed up on a regular schedule. Backups are encrypted in transit and at rest and are stored on durable infrastructure. We follow a documented restoration procedure and verify the integrity of backups through periodic restoration exercises. Backups follow a rolling retention window appropriate to the operational and recovery requirements of the service.
Network and Infrastructure
The platform operates on professionally managed infrastructure in the European Union, with the use of a global content-delivery network and edge protection services for performance and availability. Network controls limit administrative access to production systems to authorised personnel and known network locations. Production environments are isolated from non-production environments and require explicit grants to access. We use a change-management process to govern modifications to production infrastructure and applications.
Application Security
Our software development practices include peer review of application changes, static and dynamic analysis where appropriate, dependency monitoring for known vulnerabilities, and the use of well-maintained third-party libraries. We follow industry-standard guidance for the secure design of web applications, including protections against injection attacks, cross-site scripting, cross-site request forgery, insecure deserialization, broken access control, and similar classes of vulnerability. Security relevant changes are reviewed prior to deployment.
Vulnerability Management
We monitor for newly disclosed vulnerabilities in our application stack and third-party dependencies and apply remediations on a risk-based timeline. Severe vulnerabilities are prioritized for immediate response. We invite security researchers and customers to report suspected vulnerabilities through our published security contact.
Data Segregation and Tenancy
The platform is a multi-tenant service. Customer data is logically segregated at the application layer so that each customer can only access its own data. Authorisation checks are applied on every request, and integration and configuration data for each customer are independently managed.
Personnel
Personnel with access to customer data are bound by confidentiality obligations and are required to complete security awareness training. Access to production systems is granted on a need-to-know basis, requires multi-factor authentication, and is reviewed regularly. Employment background checks are conducted to the extent permitted by applicable law.
Incident Response
We maintain a documented incident response plan covering detection, triage, containment, eradication, recovery, and post-incident review. Where an incident affects customer personal data we will notify affected customers in accordance with our Data Processing Addendum and applicable law. Customers and external parties may report suspected security incidents via the published security contact email.
Business Continuity
We maintain procedures to support service continuity in the event of significant operational disruption. These include redundancy in critical components, scheduled and tested backup and restoration routines, and documented runbooks for common failure modes.
Compliance Posture
We design our controls to align with widely recognised security and privacy frameworks. We support our customers' compliance obligations under regulations such as the General Data Protection Regulation, the United Kingdom General Data Protection Regulation, the California Consumer Privacy Act and the California Privacy Rights Act, and the Digital Personal Data Protection Act of India, among others. Additional certifications may be added over time; please contact us for the current status of our certifications and third-party assessments.
Customer Responsibilities
Security is a shared responsibility. Customers should establish strong authentication practices for their users, enable multi-factor authentication where available, manage access for their authorised users in accordance with the principle of least privilege, promptly revoke access when no longer required, treat access credentials and tokens as confidential, and configure their use of the platform consistent with their own risk profile and compliance requirements.
Reporting a Security Concern
Suspected security incidents, vulnerabilities, or other security concerns may be reported by email to [email protected]. We aim to acknowledge receipt of security reports within one business day. Sensitive disclosures can be sent under non-disclosure terms on request.
Last updated: 2026-05-17. Security teams seeking more detailed information than is provided here should email the address above; we typically respond to questionnaires within five business days.